RazorHost _UserList sample exposes on a Portal all users' names and emails on Host

Description

Standard RazorHost sample script _UserList returns all of the users on a DNN installation. In a situation where the site is hosting many customers as portals, this exposes the complete list of customers' (users') names and email addresses if the individual portal is allowed to use the RazorHost module (default).
I tested this on a free hosting service, and was able to create a bogus free portal and gain access to the complete list of users (actually got tired of waiting for all 62 thousand users to be returned).
The attached revised script would only list out the users of the single portal, leaving responsibility of protecting the user information with that portal admin.
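
A portal-scoped listing of the kind the description proposes, as an added example; it is not the script attached to this issue and not DNN's shipped fix. The administrator-only check and the exclusion of host (superuser) accounts are assumptions added here.

```cshtml
@* Added example: list only the users of the portal this script runs in. *@
@using System.Linq
@using DotNetNuke.Entities.Users
@{
    // Take the portal id from the request context that DNN resolved,
    // never from user-controlled input such as a query string.
    int portalId = Dnn.Portal.PortalId;

    // Assumption: only administrators of this portal may see the list.
    bool isPortalAdmin = Dnn.User.IsInRole(Dnn.Portal.AdministratorRoleName);

    var users = Enumerable.Empty<UserInfo>();

    // DNN uses -1 (Null.NullInteger) as its null portal id, so refuse
    // to query unless a concrete portal was resolved.
    if (isPortalAdmin && portalId >= 0)
    {
        // GetUsers(portalId) returns an ArrayList of UserInfo objects.
        users = UserController.GetUsers(portalId)
            .Cast<UserInfo>()
            .Where(u => !u.IsSuperUser)      // assumption: hide host accounts
            .OrderBy(u => u.DisplayName)
            .ToList();
    }
}

@if (!isPortalAdmin)
{
    <p>You do not have permission to view this list.</p>
}
else
{
    <table>
        <tr><th>Display name</th><th>Email</th></tr>
        @foreach (var u in users)
        {
            @* Razor HTML-encodes @-expressions, so profile values render as text. *@
            <tr><td>@u.DisplayName</td><td>@u.Email</td></tr>
        }
    </table>
}
```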

QA Test Plan

None

Activity

Ken Grierson
September 12, 2014, 11:10 PM

Verified script fix
7.3.3 build 93 platform/content clean installation and upgrade scenarios

Ken Grierson
November 4, 2014, 10:25 PM

Re-verified Platform/Content 7.3.4 build 45
The UserList sample script only returns users for a single portal where it is run

Assignee

Ken Grierson

Reporter

Evan Smith

Story Size

XS

Severity

Major

Triage

New

Reported in Build #

None

Fixed in Build

Dev Owner

None

Includes Code Fix

Yes

Documentation Required

No

Trouble Ticket

None

Requires More Info

None

QA Story Points

None

QA Owner

None

Injected

None

Automation Required

None

Code Review Owner

None

Story Points

1

Components

Fix versions

Affects versions

Priority

High